MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f8c7788c7ce23bead2ccae4724fe05e277007f2caed3eedfef6103a4bbfabae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

SHA256 hash: 5f8c7788c7ce23bead2ccae4724fe05e277007f2caed3eedfef6103a4bbfabae
SHA3-384 hash: bab7128aee89bdd1a98cc12d94c1de13fcaa035e495d5327a4b4bae8ec3ce2dafd526701b8123d6acc2ac6d7100a201b
SHA1 hash: 1219800bf00e92c930691bbbade57e920a4d2356
MD5 hash: f0814e9fab4ec1629aa9ef8a273366df
humanhash: red-connecticut-green-stairway
File name: payment proof.scr.exe
Signature: AgentTesla
File size: 41'392 bytes
First seen: 2020-12-18 14:06:32 UTC
Last seen: 2020-12-19 06:55:09 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 768:UIidb8zN3b9SfgMnqcJbl6yfY8v8jEA+VE713eXxuOzRq9OGflvx/FIwJGuDJpUi:UIiYN3b9SHpbl66DvWEA+w0uOzRYUf6
Threatray: 2 similar samples on MalwareBazaar
TLSH: 750363EA630D8ED3E58EF730B20311376612953B366B07AFD0AD13A3D45578427DA94B
Reporter: James_inthe_box
Tags: AgentTesla exe

Code Signing Certificate

Organisation: Aefcdac
Issuer: Aefcdac
Algorithm: sha256WithRSAEncryption
Valid from: Dec 17 23:18:03 2020 GMT
Valid to: Dec 17 23:18:03 2021 GMT
Serial number: 5172CAA2119185382343FCBE09C43BEE
Thumbprint Algorithm: SHA256
Thumbprint: 8949CDF5D8E5028DD777A60BFDE69620EAF3B539531720DEA9066A297836CB16
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 3
# of downloads: 198
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: payment proof.scr.exe
Verdict: Malicious activity
Analysis date: 2020-12-18 14:10:08 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Unauthorized injection to a recently created process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Sending a UDP request
Sending a TCP request to an infection source
Result
Gathering data
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Connects to a pastebin service (likely for C&C)
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-12-18 14:06:27 UTC
File Type: PE (.Net Exe)
AV detection: 12 of 28 (42.86%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger spyware stealer trojan
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SHA256 hash: 5f8c7788c7ce23bead2ccae4724fe05e277007f2caed3eedfef6103a4bbfabae
MD5 hash: f0814e9fab4ec1629aa9ef8a273366df
SHA1 hash: 1219800bf00e92c930691bbbade57e920a4d2356
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method: Other

Comments